Some of the biggest names in email security technology and marketing met on Tuesday to address growing concerns about the effect of spoofed email on consumer confidence and corporate reputation. A total of 37 underwriters, including the DMA, the Email Service Provider Coalition, Microsoft, Symantec, and VeriSign, hosted the Email Authentication Implementation Summit 2005 to drive a unified response to the dilemma of maintaining safe, secure, relevant communications in a largely unregulated medium.
Craig Spiezle, director of technology care and strategy at Microsoft, quoted reports by Gartner and the Anti-Phishing Working Group that indicate more than 3,000 unique phishing sites exist, with 95 percent of all phishing coming from spoofed or forged email. Spam comprises 75 percent of all sent email, and the aggregate result of identity theft and lost confidence is estimated to be inhibiting U.S. ecommerce growth by 1 to 3 percent.
The solution, Spiezle said, is threefold:

prescriptive guidance to educate consumers and information workers;

industry collaboration to change the electronic environment and push better legislation and enforcement;

and technology to automate authentication, accreditation, and attack prevention.
Authentication of sources is only one step in retuning trust to email communication. The other element is reputation. Manav Mishra, program manager for Microsoft's MSN and Hotmail divisions, said, "Authentication is only, 'I am who I say I am.'" Copanelists Miles Libbey, antispam product manager for Yahoo!, and Travis Frazier, outbound marketing and deliverability project manager at CNET Networks, discussed technology that would assign a score to emails based on reputation for trustworthiness at several levels. "Reputation--of the message, the URLs, the sender's domain--is everything," Libbey said. Frazier mentioned reputation and accreditation providers like Habeas and ReturnPath's Bonded Sender program and Habeas as solutions that can be implemented today to verify a message's trustworthiness. According to Mishra, reputation would enable recipients to make informed choices about which senders to blacklist and which to whitelist. "Ultimate control rests in the user's defined preferences." Spiezle noted that because spammers were early adopters of authentication and digital signatures in order to look reputable, they are now easy to track and assign negative reputations to.

Some of the most alarming news came from Tom Grasso, special agent for the FBI's National Cyber Forensics and Training Alliance, who informed his audience that "more than 90 percent of Fortune 100 companies have look-alike domains registered with SPF records, solely for the purpose of spoofing email recipients." These domains, owned by criminals, provide an extra level of apparent legitimacy to phishing attacks and make them more likely to succeed. Furthermore, the infamous Sobig.f worm that circulated in 2003 wasn't merely a bit of malicious code written by a bored script-kiddie. According to Grasso, it was the first portion of a program that would turn infected computers into relays for spam email, allowing phishing attacks to reach unprecedented numbers of victims, and it would remain effectively untraceable. "Clearly, if somebody can pay a programmer to write something like this there is a huge economic vulnerability in email," Grasso said. Because of the damage potential of these attacks, he continued, "cyber-crime is the FBI's number one criminal priority."
Many of the speakers hit the same points, hoping to drive home the urgency of the situation:

Email authentication technology is available and must be deployed as soon as possible to pave the way for reputation-based security.

Authentication isn't enough by itself, though, as spammers were among the earliest adopters of certification and a certificate of authenticity doesn't say anything about the validity of the message content.

Spoofed emails are a serious drain on customer relations, and marketers must support strong enforcement of cyber laws to protect their customers and their own companies.